2022 data privacy forecast: 'draconian' policies and an ad industry in search of answers
On the heels of a handful of developments across the globe, including new data protection bills signed into law by both China and Saudi Arabia, experts speculate on how the data privacy legislative landscape will shape up in the coming year and beyond.
Experts spell out their predictions for what's next in data privacy legislation
As 2021 draws to a close, India, Canada, Vietnam, South Korea and a smattering of countries around the world are reviewing proposed data privacy bills. Meanwhile, recent amendments to Japan’s Act on the Protection of Personal Information will go into effect early next year and Australia is in the process of amending its 1988 privacy legislation. In the US, more than 25 state-level data privacy bills remain in limbo in various stages in committees.
Even with so much momentum, however, data privacy bills and amendments in the US and abroad are generally difficult to pass and sign into law. The pace of regulatory action lags far behind the pace of most market movements – and in lieu of comprehensive, consent-based data privacy laws on the national level, tech companies like Apple and Google are increasingly setting the ground rules for consumer data privacy and advertising industry groups are setting their own self-regulating standards.
The Drum surveyed a handful of experts about what’s next for data privacy legislation. Here’s what they said.
Prediction 1: US federal legislation, though desired, remains a long shot
Jessica B Lee, partner and co-chair of privacy, security and data innovations, Loeb & Loeb: Achieving federal legislation is highly unlikely in the next year or two. Next year, we will be halfway through Biden’s first term and facing the midterm elections. In addition to pulling us out of the pandemic, addressing issues of the supply chain and inflation, Biden’s biggest priority will likely be passing his signature legislation, Build Back Better. While we have had a number of bills introduced and hearings and interest around privacy, I remain skeptical that enough political resources will be devoted to privacy before Build Back Better gets passed. We will have to see what the political landscape looks like after 2002. If the Democrats hold both the House and the Senate, then we may see privacy legislation before 2024. If they lose one [or the other], then I think we are in a legislative deadlock until 2024. The opportunity here is that comprehensive privacy legislation is desired by both parties, consumer advocates, and industry – everyone wants to see this happen. The question is how and what form it will take and its hashing out those sticking points – particularly around the scope of preemption and a private right of action that will slow the process.
Stu Ingis, coordinator, Privacy for America: Passing comprehensive federal privacy legislation remains a real possibility, because unlike many policy debates, there is actually a great deal of consensus across the ideological spectrum. A full 92% of voters – including 95% of Democrats and 89% of Republicans – say passing federal privacy legislation is very or somewhat important, according to a recent survey commissioned by Privacy for America… This means we have both a significant opportunity and a significant need to create a national privacy standard, and federal policymakers must prioritize doing so. We remain optimistic that they will. An additional impetus to action is the growing patchwork of state laws that confuse consumers, increase compliance costs for businesses, and threaten the many benefits that accompany the responsible use of data. The FTC will propose broad privacy rules next year at the same time as Congress is debating these issues. While the advertising industry would welcome uniform privacy rules, creating law through regulatory fiat is a recipe for bad policy that could have negative implications on important business practices and the economy.
Fiona Davis, chief operating officer, Captify: The news from the Biden administration this week [that the National Telecommunication and Information Administration – part of the US Commerce Department – will hold ‘listening sessions’ and solicit input on the interplay between privacy, equity and civil rights] is the country’s first step towards a stronger stance on data privacy legislation and indicates that there is definitely a strong appetite in the US for greater consumer privacy laws. [California, Virginia and Colorado] have already approved legislation, and many others are already well underway… Over time, states will likely make various adjustments to their own laws based on what’s working and not working... but without an overarching federal framework, state-based legislation will continue to drive the privacy agenda in the US.
Arielle Garcia, chief privacy officer and senior vice-president of business operations and compliance, UM Worldwide: It does not appear likely that there will be a comprehensive federal privacy law passed within the next year. It is more likely that the Federal Trade Commission will continue to take a broad read on its role in enforcing existing law, as we saw with their recent policy statement [on data breaches by health apps]. It’s also likely that more limited federal proposals dealing with high-priority, privacy-related and privacy-adjacent issues will advance, such as enhancements to children’s privacy, as well as social media and algorithmic transparency. The two main sticking points on comprehensive federal law hindering bipartisan alignment have been preemption and private right of action, and there does not appear to be sufficient progress towards consensus on these issues.
Prediction 2: Ad industry self-policing will become more stringent
Stu Ingis, coordinator, Privacy for America: The advertising industry has been ahead of the curve in self-regulation of data practices for more than two decades. This will continue and expand through efforts like the Partnership for Responsible Addressable Media. Almost every area of law that impacts advertising has a corresponding self-regulatory framework that will continue to benefit the advertising ecosystem.
Walter Harrison, founder and chief executive officer, Tapestri: Self-policing is better than no policing; whether it’s Digital Advertising Alliance (DAA) or the Network Advertising Initiative (NAI), providing a centralized opt-out for consumers is a net positive. In our experience, the DAA provided a sense of comfort for the consumer. With that said, policies should still be written in partnership with the industry, not necessarily ‘just against’.
Anthony Katsur, chief executive officer, the Interactive Advertising Bureau (IAB) Tech Lab: Let’s be candid. Even though it has been well intentioned, the industry has not done an effective job of self-regulation as it relates to consumer privacy. However, I believe the tone has changed across the ecosystem. Government regulations, combined with big tech activity in the area of privacy, [have] acted as a forcing function for the entire industry to address issues of consumer consent and data privacy with incredible urgency. I don’t think any solution should rest with any single entity, government, private company or trade body. [All players] should work together to preserve addressability while maintaining rigorous standards around consent and privacy protection with real enforcement and penalties for bad actions. I think a private-public partnership in this area would best serve the entire digital media ecosystem and our most important constituent, the consumer.
Jessica B Lee, partner and co-chair of privacy, security and data innovations, Loeb & Loeb: These groups will start to pivot to co-regulation. From the standpoint of privacy advocates and regulators, self-regulation has not worked – it has not gone far enough or moved quickly enough to address the privacy harms that comprehensive privacy regulations aim to solve. Instead of self-regulation, I think industry groups will start to build solutions to support the industry’s efforts to comply with regulations – we have seen the IAB and the IAB Tech Lab move in this direction. I do think it is important that the industry have a seat at the table. The flow of data through the advertising ecosystem is very complicated and understanding those nuances and being able to craft solutions that address the privacy concerns without crushing the industry is important.
Prediction 3: Tech companies will continue rolling out ‘draconian’ policies
Joe Doran, chief product officer, Epsilon: Big tech platforms and walled gardens will continue to roll out draconian policies and new solutions in 2022 in the name of consumer privacy. These solutions will bring complexity and frustration to advertisers, publishers, developers and to the consumers they are trying to help. At the end of the day, these policies and solutions really just seem to benefit [tech companies] themselves and the economic moats they have created. The actions of big tech are all done under the guise of providing greater transparency and choice for the consumer – which is great, and I fully support – but big tech’s application is really done for their consumers and the data they collect inside their walled garden or their platform. They aren’t really helping the advertisers, publishers, developers or the consumers out on the open web or across the ecosystem.
Arielle Garcia, chief privacy officer and senior vice-president of business operations and compliance, UM Worldwide: Many of the changes by big tech are attempts to preempt and evade regulatory action that would be most damaging to the platforms, and there is a balancing act between advancing privacy-enhancing changes without attracting greater competition scrutiny. To that end, we’re likely to continue to [see] more measured actions by the platforms as it grows increasingly critical to mitigate the perception that their changes result in anti-competitive effects. For example, Apple recently began prompting for opt-in consent to Apple’s use of data for ad personalization, more in alignment with its AppTrackingTransparency policies for app developers.
Müge Fazlioglu, senior Westin research fellow, International Association of Privacy Professionals (IAPP): Where there is regulatory inaction, companies will fill the gaps – for better or worse. And this is so true in privacy today, which we know is something US consumers want and even expect, but [something] on which lawmakers are still divided. We will see more companies in competition over who offers the most privacy and security to consumers, and we will see more initiatives like the one announced by Twitter [this week] that it will not allow sharing of photos and videos without consent, with exceptions for things like public information and public interest. So, the dilemma for lawmakers will be how to craft laws that resonate with what consumers want and industry is doing – which is so hard to pin down – and avoid trying to impose obligations that no one agrees with.
DJ Landreneau, director of data privacy strategy, policy and compliance, Tealium: We don’t believe that tech companies are leading the regulations in a meaningful way in Europe. To a degree it can look that way, since regulators are constantly chasing new technology as it emerges. A recent example is the investigation led by the UK’s Information Commissioner’s Office and Belgium’s Data Protection Authority on real-time bidding. Even though it has been known that the real-time bidding practices are out of compliance with GDPR, the regulators are challenged by trying to chase after the ever-changing complexity of the technology. However, in the US, companies have had more of a hand in shaping, or preventing, regulations – resulting in regulations that are more in the companies’ interest than the end-users’. Florida’s privacy legislation failed to pass because businesses lobbied against private right to action, demonstrating that business interests [often win out] over end-users rights.
Prediction 4: The global wave swells
Fiona Davis, chief operating officer, Captify: At this point, nearly all countries globally are looking at some level of data privacy legislation, often using the GDPR as a blueprint and then adapting for their own market. Specifically in the US, they won’t necessarily be influenced by global lawmakers, but global action certainly adds fuel to the fire – it is a global phenomenon that the US needs to take a serious stance on, and is driven by consumer demands globally to address their data privacy rights in a meaningful way. There is a general trend of moving away from identity-based tracking. Consumers have made it clear that they do not want to be tracked at a user-by-user level, and global legislation will move increasingly towards this. More intrusive methods such as precise geo-location-based tracking and targeting will continue to be challenged by regulators in all markets.
J Trevor Hughes, chief executive officer and president, International Association of Privacy Professionals (IAPP): We should expect many more privacy and data protection laws in the coming year. Complexity will increase. Risks for non-compliant organizations will balloon. The trend lines indicate that both the number of countries with comprehensive laws and the complexity and divergence of those laws will increase. It is very likely that we will see India pass a data protection law in the early part of 2022. The bigger question – perhaps the biggest question – is when the US will find the political will to see a national privacy law enacted.
Mario Ciabarra, chief executive officer, Quantum Metric: The EU set the bar on privacy first with the GDPR, and we’ve seen others such as Canada, Saudi Arabia and China follow suit. In the US, we’ve seen states attempt to tackle this – such as California’s CCPA. This is making it more and more difficult for online businesses to navigate the world’s complex array of laws on privacy, especially when each law looks different. What we are going to start to see is that this spider web of rules will actually start to negatively impact smaller businesses who have a hard time keeping up with the growing list of global regulations. These businesses simply don’t have the manpower that an Amazon or Apple would have to track changing rules across the globe. We really need to establish a global organization that can help set that gold standard for data privacy. So far, the GDPR sets the highest standard and most comprehensive set of rules and penalties, and, generally speaking, abiding by the GDPR’s already-complex laws provides a strong guidance of how to take a privacy by default approach.
DJ Landreneau, director of data privacy strategy, policy and compliance, Tealium: We believe the spread of GDPR-style regulations across the globe is largely driven by a desire to be able to process EU data... Since countries without the appropriate ’level of adequacy’ aren’t allowed to process EU data, there’s a significant financial incentive for countries to pass their own regulations for their national companies to process EU data. It would be very surprising if the US doesn't eventually feel that pressure and move in a similar direction, especially because recent court decisions have made it clear that the US does not currently qualify as ’adequate’, and therefore EU data may not be processed there. Action across the globe will influence businesses and their desire to access those markets, the businesses in turn will influence US lawmakers to take action. Eventually the global community will need to align and agree on privacy legislation. If trying to maintain compliance with 50 different US states’ laws seems daunting, imagine trying to maintain compliance with 195 different countries’ laws.